Department of Homeland Security

DHS' Efforts to Coordinate the Activities of Federal Cyber Operations Centers

OIG-14-02    October 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

October 24, 2013

MEMORANDUM FOR: The Honorable Suzanne Spaulding
                Acting Under Secretary
                National Protection and Programs Directorate

FROM:           Charles K. Edwards
                Deputy Inspector General

SUBJECT:        DHS’ Efforts To Coordinate the Activities of Federal Cyber Operations Centers

Attached for your information is our final report, DHS’ Efforts To Coordinate the Activities of Federal Cyber Operations Centers. We incorporated your formal comments in the final report.

The report contains seven recommendations aimed at improving the effectiveness of coordinating the activities of the Federal cyber operations centers. Your office concurred with all recommendations.
As prescribed by the Department of Homeland Security Directive 077-1, Follow-Up and Resolutions for the Office of Inspector General Report Recommendations, within 90 days of the date of this memorandum, please provide our office with a written response that includes your (1) agreement or disagreement, (2) corrective action plan, and (3) target completion date for each recommendation. Also, please include responsible parties and any other supporting documentation necessary to inform us about the current status of the recommendation. Once your office has fully implemented the recommendations, please submit a formal closeout letter to us within 30 days so that we may close the recommendations. The memorandum should be accompanied by evidence of completion of agreed-upon corrective actions. Please email a signed PDF copy of all responses and closeout requests to OIGITAuditsFollowup@oig.dhs.gov. Until your response is received and evaluated, the recommendations will be considered open and unresolved.

Consistent with our responsibility under the Inspector General Act, we will provide copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Frank W. Deffer, Assistant Inspector General for Information Technology Audits, at (202) 254-4100.

Attachment

Table of Contents

Executive Summary
Background
Results of Audit
    Actions Taken To Coordinate With Cyber Operations Centers Across the Government
    Common Cyber Tools and Standardized Incident Categories Are Needed To Provide Shared Situational Awareness With Other Centers
    Recommendations
    Management Comments and OIG Analysis
    Additional Staffing Can Enhance NCCIC’s Ability To Provide Continuous Coverage
    Recommendations
    Management Comments and OIG Analysis
    Specialized Training Needed
    Recommendation
    Management Comments and OIG Analysis
    NPPD Needs To Update Its COOP Plan
    Recommendations
    Management Comments and OIG Analysis

Appendixes
    Appendix A: Objectives, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: Major Contributors to This Report
    Appendix D: Report Distribution

Abbreviations

COOP       Continuity of Operations
CS&C       Office of Cybersecurity and Communications
CYBERCOM   Cyber Command
DC3        Defense Cyber Crime Center
DHS        Department of Homeland Security
DoD        Department of Defense
FBI        Federal Bureau of Investigation
FY         fiscal year
I&A        Office of Intelligence and Analysis
IC-IRC     Intelligence Community – Incident Response Center
ICS-CERT   Industrial Control Systems Cyber Emergency Response Team
NCC        National Coordinating Center for Telecommunications
NCCIC      National Cybersecurity and Communications Integration Center
NCIJTF     National Cyber Investigative Joint Task Force
NCIRP      National Cyber Incident Response Plan
NIST       National Institute of Standards and Technology
NO&I       NCCIC Operations and Integration
NPPD       National Protection and Programs Directorate
NTOC       National Security Agency/Central Security Service Threat Operations Center
OIG        Office of Inspector General
US-CERT    United States Computer Emergency Readiness Team

Executive Summary

We audited the National Protection and Programs Directorate’s (NPPD) efforts in coordinating with cyber operations centers across the Federal Government.
The recent increase in cyber attacks has triggered an expansion of security initiatives and collaboration between the Government and the private sector. The National Cybersecurity and Communications Integration Center, which is the operational arm of the Office of Cybersecurity and Communications within NPPD, is responsible for integrating cyber threat information from the five Federal cybersecurity centers and collaborating with these centers in responding to cyber security incidents that may pose a threat to the Nation.

NPPD has taken actions to coordinate and share vital cyber threat information with the five Federal cyber operations centers. For example, NPPD has established partnerships with the other centers to coordinate an effective response on cyber incidents. In addition, NPPD has increased interagency collaboration and communication through the use of liaisons and participating in regular meetings. Finally, NPPD has issued—in collaboration with the Federal Bureau of Investigation—Joint Indicator Bulletins to assist private sector partners in preventing cyber attacks and protecting intellectual property, trade secrets, and sensitive business information from exploitation and theft.

Still, the Department of Homeland Security (DHS) faces challenges in sharing cyber information among the Federal cyber operations centers. Specifically, DHS must procure cyber tools and technologies to improve its situational awareness efforts. In addition, it needs to work with its cyber operations center partners to develop a standard set of cyber incident reporting categories. Further, DHS has to address insufficient staffing levels that hinder its ability to provide continuous coverage in all mission areas in the National Cybersecurity and Communications Integration Center operations center and conduct additional technical training needed to improve staff’s incident response skills.
Finally, it must update the NPPD Continuity of Operations Plan, and finalize and integrate it with the Office of Cybersecurity and Communications’ Continuity of Operations Plan and the National Cybersecurity and Communications Integration Center’s Continuity of Operations Plan.

We are making seven recommendations to DHS to improve its coordination and collaboration with the Federal cyber operations centers across the Government. NPPD concurred with all recommendations and has begun to take actions to implement them. NPPD’s responses are summarized and evaluated in the body of this report and included, in their entirety, as appendix B.

Background

The recent increase in cyber attacks has triggered an expansion of security initiatives and collaboration between the Government and the private sector. NPPD is primarily responsible for fulfilling DHS’ National, non-law enforcement cybersecurity missions. Through the Office of Cybersecurity and Communications (CS&C), a sub-component of NPPD, the Department provides crisis management and coordination in response to steady-state and significant cyber incident response activities; coordinates and integrates information from the Federal cyber operations centers, state and local governments, and the private sector; and maintains an organization to serve as a focal point for the security of cyberspace.[1]

In October 2012, CS&C realigned its divisions to enhance the security, resiliency, and reliability of the Nation’s cyber and communications infrastructure.
Figure 1 illustrates the realignment of CS&C with a specific breakdown of the National Cybersecurity and Communications Integration Center’s (NCCIC) component structure.

Figure 1: CS&C Organizational Chart

[1] A steady-state incident is an everyday cyber incident (e.g., daily intrusion and probes from sources). A significant cyber incident is a set of conditions that requires increased national coordination and may destroy, degrade, or disrupt the cyber infrastructure or integrity of the information.

The NCCIC, which is the operational arm of CS&C, coordinates national efforts and works directly with Federal, state, local, tribal and territorial governments, and private sector partners. NCCIC serves as a 24/7 centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and integrated.
The NCCIC comprises the following four branches:

- NCCIC Operations and Integration (NO&I)—utilizes planning, coordination, and integration capabilities to synchronize analysis, information sharing, and incident management efforts across NCCIC divisions.

- United States Computer Emergency Readiness Team (US-CERT)—identifies and analyzes suspicious activities, probable intrusions, and confirmed events, and responds to manage risk.

- Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)—operates in four focus areas: situational awareness for critical infrastructure and key resources stakeholders; incident response and technical analysis for control systems incidents; control systems vulnerability coordination; collaboration with other government departments and agencies to address control systems and critical infrastructure risks.

- National Coordinating Center for Telecommunications (NCC)—leads and coordinates the initiation, restoration, and reconstitution of the national security/emergency preparedness telecommunications services or facilities under all conditions.

The Comprehensive National Cybersecurity Initiative was established in 2008 to enable and support shared situational awareness and collaboration across the Federal cyber operations centers that are responsible for carrying out United States cyber activities. The need to share information on malicious activities detected on government networks between Federal cyber operations centers is vital to coordinate an effective response and have a better understanding of the threats against government information systems.
For example, NCCIC communicates and shares vital cyber threat information with the following Federal cyber centers:

- United States Cyber Command (CYBERCOM), operated by the Department of Defense (DoD), establishes and maintains situational awareness and directs the operations and defense of the “.mil” networks.

- Defense Cyber Crime Center (DC3), operated by DoD, sets standards for digital evidence processing, analysis, and diagnostics for DoD investigations that require computer forensic support to detect, enhance, or recover digital media, including audio and video.

- Intelligence Community – Incident Response Center (IC-IRC), operated by the Intelligence Community, provides attack sensing and warning capabilities to characterize cyber threats and attribution of attacks and anticipates future incidents.

- National Cyber Investigative Joint Task Force (NCIJTF), operated by the Department of Justice’s Federal Bureau of Investigation (FBI), serves as the multiagency national focal point for coordinating, integrating, and sharing pertinent information related to cyber threat investigations across all national security and criminal law enforcement programs.

- National Security Agency/Central Security Service Threat Operations Center (NTOC), operated by the National Security Agency, establishes real-time network awareness and threat characterization capabilities to forecast, alert, and attribute malicious activity.

In September 2010, DHS developed the National Cyber Incident Response Plan (NCIRP) to integrate and build on
current efforts to collaborate with Federal cyber operations centers and move the Nation toward a more robust common operational picture capability by integrating Federal, state, local, tribal, and territorial resources; critical infrastructure and key resources; and the private sector.[2] Effectively understanding risks in cyberspace requires that a wide range of departments, agencies, and organizations collaborate on a daily basis to identify threats, vulnerabilities, and potential consequences. The NCIRP is currently being revised by DHS based on the lessons learned from the National Level Exercise 2012 and recent cyber incidents.

[2] A common operational picture is a single identical display of relevant operational information (i.e., network operations and monitoring, attack sensors, and cyber threat investigations) shared by multiple sources. It facilitates collaborative planning and assists all units to achieve situational awareness.

Results of Audit

Actions Taken To Coordinate With Cyber Operations Centers Across the Government

NCCIC has taken several positive steps to coordinate and collaborate with Federal cyber operations centers across the Government. For example, NCCIC:

- Enhanced partnerships with other Federal cyber operations centers to respond and coordinate on specific incidents that pose a risk to the United States.

- Increased interagency collaboration and communication through the use of NCCIC liaisons, telephone calls, email, and regular meetings to leverage each organization’s expertise and unique authorities to execute DHS’ cybersecurity mission more effectively and efficiently.

- Collaborated with the FBI and other public and private sector partners by issuing Joint Indicator Bulletins that contain cyber threat indicators to assist network defenders in preventing cyber attacks and protecting their intellectual property, trade secrets, and sensitive business information from exploitation and theft.

- Performed functional/tabletop and no-notice (i.e., unscheduled) exercises to enhance the awareness of NCCIC’s and Federal cyber operation centers’ capabilities, validated plans and procedures, and coordinated relationships among partners.[3]

Although notable actions have been taken, NPPD still faces challenges in sharing cyber threat information with other Federal cyber operations centers. Specifically, NPPD can develop or procure common cyber tools and technologies, finalize and integrate CS&C and NCCIC Continuity of
Operations (COOP) Plans, and provide continuous staff coverage and technical training to ensure that it can meet its critical operational mission requirements under all conditions.

[3] The NCCIC Internal Exercise program consists of two exercise categories: functional/tabletop and no-notice. Functional/tabletop exercises are designed to engage NCCIC stakeholders or enhance partner coordination relationships. They can be conducted as a discussion-based tabletop exercise or an operations-based functional exercise. No-notice exercises are functional exercises that are unannounced to floor players. No-notice exercises are designed to train the NCCIC personnel on internal procedures.

Common Cyber Tools and Standardized Incident Categories Are Needed To Provide Shared Situational Awareness With Other Centers

The NCCIC and Federal cyber operations centers collectively do not have a common tool suite that can provide shared situational awareness and enhance coordinated incident management capabilities among the centers during an incident. Specifically, Federal cyber operations centers do not have a common incident management system tool that tracks, updates, shares, and coordinates cyber information with each other. Additionally, the NCCIC and Federal cyber operations centers have not standardized a set of categories for reporting cybersecurity incidents.
Without a common incident management tool suite and standardizing security incident categorization, NCCIC and other Federal cyber operations centers will face a constant challenge in sharing cyber incident information and coordinating an effective response.

Common Cyber Tools

Currently, NCCIC relies on US-CERT’s ticketing system, which is designed primarily to track the status of information technology operations, to maintain cyber incident information. US-CERT’s ticketing system captures cyber incident information, such as incident occurrence and reporting dates, email correspondence between the reporting/affected agency and US-CERT, and phone conversations regarding the events. However, this ticketing system does not link situational awareness products (i.e., alerts and bulletins) that have been issued and are associated with a specific cyber incident, threat, or vulnerability. As such, incidents may not be consistently tracked, categorized, or managed seamlessly across other NCCIC components. Since NCCIC integrates cyber threat information from other Federal operations centers, having a common cyber tool will allow NCCIC to provide a comprehensive view of cyber activity across the intelligence, defense, civil, and law enforcement communities.

Federal cyber operations centers often share their information with one another. However, no single entity combines all information available from these centers and other sources to provide a continuously updated, comprehensive picture of cyber threat and network status to provide indications and warning of imminent incidents, and to support a coordinated incident response.
Specifically, NCCIC does not have the tools and technologies to support continuous updates, improve efficiencies and prevent duplicative efforts in information sharing. Potential solutions include tools and technologies for incident management, shared knowledge management database, automatic call distribution and media tracking systems, dashboards, and enterprise reports for analytics which should be consolidated by the NCCIC. According to NCCIC officials, both funding and technology are needed to improve information sharing.

Further, having a common set of cyber tools will allow NCCIC to provide indicators and warning information to alert key organizations of emerging threats to the Nation’s cyber infrastructure. According to the NCCIC Director, there is no national system or common cyber tool currently in place for the Federal cyber centers to share information. Additionally, the NCCIC Director acknowledged that having a common cyber tool and technology could allow the centers to provide actionable information to prevent and reduce the harm from cyber threats and vulnerabilities electronically, on a real time basis.

Standardized Cyber Incident Categories

The Federal cyber operations centers have not agreed on a standard set of categories for reporting incidents. Currently, DoD uses a 10-incident category system; DHS uses a 7-incident category system. In an attempt to standardize the incident categories, DoD developed a matrix that identifies the commonalities and differences between the DoD and DHS category systems.
DoD acknowledges the need to establish common incident and event categories between DoD and DHS. Figure 2 illustrates the matrix.

DoD Cyber Incident and Reportable Cyber Event Categories | DHS Incident and Reportable Event Categories
Category 0: Training and Exercises                       | Category 0: Exercise/Network Defense Testing
Category 1: Root-Level Intrusions                        | Category 1: Unauthorized Access
Category 2: User-Level Intrusions                        | Category 1: Unauthorized Access
Category 3: Unsuccessful Activity Attempt                | Category 5: Scans/Probes/Attempted Access
Category 4: Denial of Service                            | Category 2: Denial of Service
Category 5: Non-Compliance Activity                      | Category 4: Improper Usage
Category 6: Reconnaissance                               | Category 5: Scans/Probes/Attempted Access
Category 7: Malicious Code                               | Category 3: Malicious Code
Category 8: Investigating                                | Category 6: Investigation
Category 9: Explained Anomaly                            |

Figure 2: Matrix of DoD and DHS Incident and Events Categories[4]

Recognizing that establishing common operational terms can improve the efficiency of information sharing between Federal cyber operations centers, the IC-IRC has proposed to revise the cyber-incident categorization in the Intelligence Community. The goal of IC-IRC’s effort is to serve as a first step to building a foundation for operational commonality between the centers to strengthen cyber defense.
For example, IC-IRC has determined that some of the categories are not actually incident categories, but rather indications of attack vectors or investigative types. While CYBERCOM did not respond to our inquiry, DC3 and IC-IRC officials told us they have adopted the DoD’s 10-incident category system. NTOC also adopted a system similar to DoD’s 10-incident category system with some differences. NCIJTF officials told us that DHS’ set of six Federal Agency Incident Categories does not apply to the NCIJTF or FBI because the FBI does not have a cyber defense role.

[4] Source: Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01B, Appendix A to Enclosure B, Table B-A-3, dated 10 July 2012.

Although the DoD and DHS incident category matrix has been established, CS&C officials believe that further actions are needed. Specifically, CS&C officials are working with the National Institute of Standards and Technology (NIST) to revise the incident handling guidelines. These guidelines focus on the effect of an incident instead of how the incident happened and could be used as a national cybersecurity incident categorization system.

The Homeland Security Act of 2002 requires DHS to establish appropriate systems, processes, and procedures to share homeland security information relevant to threats and vulnerabilities in national critical infrastructure and key resources with other Federal departments and agencies, state and local governments, and the private sector in a timely manner.
Additionally, the Cyberspace Policy Review recommends the Federal Government develop processes between all levels of Government and the private sector to assist in preventing, detecting, and responding to cyber incidents by leveraging existing resources. Further, the Government, working with key stakeholders, should design an effective procedure to achieve a true common operating picture that integrates information from the Government and the private sector as well as serves as the basis for informed and prioritized vulnerability mitigation efforts and incident response decisions.

Developing and implementing common cyber tools and standardized incident categories are critical for monitoring, disseminating, and sharing cyber threat information among NCCIC and other Federal cyber operations centers. Having common cyber tools and technologies allows for continuously updated cyber threat information between Federal cyber operations centers and provides enhanced cross-domain situational awareness of cyber threats, vulnerabilities, and consequences, as well as a coordinated incident response.
Standardization of categories would allow Federal cyber operations centers to clearly communicate incidents and events, and improve the effectiveness of information sharing activities.

Recommendations

We recommend that the Acting Under Secretary, NPPD:

Recommendation #1:

Procure or develop tools and technologies with enhanced incident management and analytical capabilities that can link situational awareness products to cyber incidents.

Recommendation #2:

Collaborate with DoD and NIST to develop a standard set of incident categories to ensure seamless information sharing between all Federal cyber operations centers.

Management Comments and OIG Analysis

NPPD concurred with recommendation 1. The Acting Under Secretary stated that NPPD and CS&C continuously work with a broad range of partners to explore new ways to enhance information sharing and deliver operationally relevant data in an efficient and effective manner. CS&C is working through its Network Security Deployment division to improve existing information sharing capabilities and bring new capabilities online as the information sharing environment matures. Release of information sharing capabilities is planned beginning in fiscal year (FY) 2014 and continuing through FY 2017. Technologies and processes to improve discoverability and availability of data between and among the cyber operations centers serve as a foundation to the information sharing capability sets.
These capabilities, coupled with automated machine-to-machine data transfer, will greatly improve the ability to link data sets and improve situational awareness.

We agree with the steps that NPPD has taken and plans to take to begin to satisfy this recommendation. This recommendation will remain open and unresolved until NPPD provides documentation to support that all planned corrective actions are completed.

NPPD concurred with recommendation 2. The Acting Under Secretary stated that NPPD and CS&C have already taken decisive steps to address this recommendation as evidenced by revision two of the NIST Special Publication 800-61, published in August 2012. DHS is working with the National Security Staff and the Office of Management and Budget to release new Federal reporting guidance in the coming months. While DHS and DoD have distinct mission needs in the cyber environment, DHS will continue to work with DoD to streamline the flow of appropriate information between the two agencies.

We agree with the steps that NPPD has taken and plans to take to begin to satisfy this recommendation. This recommendation will remain open and unresolved until NPPD provides documentation to support that all planned corrective actions are completed.

Additional Staffing Can Enhance NCCIC’s Ability To Provide Continuous Coverage

NCCIC’s operational capabilities to respond to specific incidents may be hindered by the inability of the Office of Intelligence and Analysis (I&A) and ICS-CERT to provide their specialized functions on an around-the-clock basis.
Specifically, NCCIC needs to have sufficient staffing to perform intelligence analysis functions and respond to industrial control systems incidents after work hours and on weekends. Since cyber attacks can happen at any time, it is imperative for NCCIC to have sufficient resources to respond to and mitigate potential threats.

Currently, I&A provides all-source intelligence watch and warning, operational support, and analysis and production on current, emerging, and potential threats. Additionally, I&A analysts work with NCCIC to ensure that information is incorporated with the Intelligence Community sources to provide a complete assessment of threats to the Nation. Further, I&A analysts are assigned to specific sectors based on a particular adversary’s interest or activity within those sectors. However, I&A’s analysts can currently provide coverage only for 14 hours per day for 5 days per week. This leaves a weekly total of 98 hours (using a 24/7 basis) that I&A is not providing coverage to support the NCCIC.

ICS-CERT provides technical analysis and forensic investigations of industrial control system incidents and vulnerabilities. Additionally, these analysts provide actionable situational awareness to public and private sector partners. Currently, ICS-CERT personnel operate on a work schedule of 12 hours per day for 5 days per week. ICS-CERT does not currently have the required personnel to assist in the continuous operations of NCCIC based on current managing levels.

NCCIC management recognizes the need for additional staffing and informed us that they have requested more analysts from I&A so that NCCIC can provide more threat intelligence and analysis to all sectors under all conditions.
In addition, NCCIC management indicated that they did not have funding to hire more personnel to respond to incidents regarding industrial control systems during high operational periods. Finally, NCCIC management added that they had also requested additional resources to provide more timely responses to stakeholders.

Without additional staffing for continuous coverage, the NCCIC may not be able to perform effectively all of its assigned responsibilities and provide immediate incident response and coordination with Federal cyber operations centers. Additionally, NCCIC may experience challenges in developing and rapidly distributing cybersecurity advisories and bulletins, and directly responding to and assisting its industrial control systems partners to mitigate the threats from cyber incidents.

Recommendations

We recommend that the Acting Under Secretary, NPPD:

Recommendation #3:

Augment staffing by adding additional staffing to execute ICS-CERT mission to provide full coverage on the operations floor.

Recommendation #4:

Collaborate with I&A management to increase the number of its analysts available for continuous coverage at the NCCIC to provide more intelligence and analysis to all sectors.

Management Comments and OIG Analysis

NPPD concurred with recommendation 3. The Acting Under Secretary stated that the ICS-CERT’s FY 2014 President’s Budget Request includes an increase of five full time equivalents.
NPPD and CS&C will continue to pursue opportunities to provide additional staffing to enhance the ICS-CERT mission.

We agree with the steps that NPPD has taken and plans to take to begin to satisfy this recommendation. This recommendation will remain open and unresolved until NPPD provides documentation to support that all planned corrective actions are completed.

NPPD concurred with recommendation 4. The Acting Under Secretary stated that I&A provides all-source intelligence watch and warning, operational support, and analysis and production on current, emerging, and potential threats to NCCIC. I&A also serves as a critical link between the NCCIC and the Intelligence Community by ensuring DHS’ information requirements are met and by sharing DHS’ threat information with the Intelligence Community. The Under Secretary, I&A, will continue efforts to increase staffing to the NCCIC to provide continuous coverage within the constrained budget and resource environment.

We agree with the steps that NPPD has taken and plans to take to begin to satisfy this recommendation. This recommendation will remain open and unresolved until NPPD provides documentation to support that all planned corrective actions are completed.

Specialized Training Needed

NCCIC does not have sufficient resources to provide specialized training to incident responders. Additionally, analysts need to be trained on how to use various playbooks and processes to communicate incidents to Federal cyber operations center partners.
Further, NCCIC must update its training and evaluation plan to reflect the new training on qualifications standards specified in the recently revised Concept of Operations. Without providing specialized training, NCCIC analysts may not possess the full scope of skills necessary to perform their assigned incident response and mitigation duties in the event of a cybersecurity attack.

As a result of the Federal Government’s sequestration of FY 2013 funds, in March 2013, NPPD suspended all training for its personnel until further notice.[5] To meet the training requirements, NPPD personnel are obtaining free training through DHS’ centralized learning management system, attending local conferences, or enrolling in training courses that are provided by other Federal cyber operations centers (e.g., DC3) and the Federal Emergency Management Agency’s Emergency Management Institute. However, this free training does not provide incident responders with the specialized training needed to perform their assigned functions.

[5] Sequestration refers to automatic spending cuts in particular categories of Federal outlays as directed in the Budget Control Act of 2011. Originally set to occur in January 2013, sequestration was postponed to March 2013 by the American Taxpayer Relief Act of 2012.

Our review of selected training records between 2009 and 2013 revealed that only 10 of 22 NCCIC analysts had received technical training (e.g., security and network fundamentals, introduction to malware analysis, incident handling methodology, and introduction to the forensics process). The lack of training funds has led many analysts to rely more on personal knowledge instead of the technical training to identify, respond to, and mitigate incidents. During recent NCCIC exercises, analysts relied on personal expertise and institutional knowledge of their colleagues rather than documented processes to perform their assigned duties. In exercise after-action reports, NCCIC officials acknowledged that providing specialized training to its staff is essential for accessing and analyzing information for future cyber incident response and mitigation.

Further, our review of NCCIC’s after-action reports revealed that the playbooks were underutilized by floor personnel, which resulted in limited execution of appropriate operational actions.[6] The after-action reports recommend that playbooks be included in future training and exercises to enhance incident response capability.

In February 2013, NCCIC developed a training and exercise plan that incorporated learning material for Federal cyber operation center participants. Additionally, NCCIC has recently updated its Concept of Operations and plans to update its training and exercise plan to align both documents.
Further, all NCCIC sub-components are required to use the recently revised personnel qualifications standards document to ensure their personnel are properly trained to perform their assigned duties by tracking formal or operationally focused training they attend.

The Comprehensive National Cybersecurity Initiative, January 2008, Initiative #8 recommends that the Nation develop a technologically-skilled and cyber-savvy workforce to ensure a continued technical advantage and future cybersecurity. Additionally, NIST recommends security personnel be provided appropriate training to combat the latest cybersecurity threats and vulnerabilities.

By providing specialized technical training to its analysts, NCCIC will increase its personnel’s knowledge in current cyber threats, risks, trends, and mitigation techniques. By leveraging the National Cybersecurity Education Office assistance, NCCIC can enhance the performance, qualifications, and skills of its analysts necessary to perform incident response and mitigation functions in the event of a cybersecurity attack.

[6] Playbooks aid analysts during active cyber attack situations. They are used to quickly determine the best actions to take when faced with a given situation.
The playbooks contain the adversarial moves that analysts may expect to see and countermoves believed to be effective against those moves.

Recommendation

We recommend that the Acting Under Secretary, NPPD:

Recommendation #5:

Revise the training and exercise plan to include the new qualifications and standards specified in the Concept of Operations to ensure NCCIC personnel receive the proper training, certifications, and qualifications to perform their assigned duties.

Management Comments and OIG Analysis

NPPD concurred with recommendation 5. The Acting Under Secretary stated that NCCIC personnel participate in internally and externally hosted exercises to ensure they are fully trained on processes and procedures. NCCIC has begun to expand training opportunities for staff and will continue to do so as funding becomes available.

We agree with the steps that NPPD has taken and plans to take to begin to satisfy this recommendation. This recommendation will remain open and unresolved until NPPD provides documentation to support that all planned corrective actions are completed.

NPPD Needs To Update Its COOP Plan

NCCIC’s ability to timely restore its mission-essential functions in the event of an emergency may be hindered by an outdated NPPD COOP Plan.[7] Continuity of operations planning is designed to maintain or restore business operations, including computer and cyber operations, possibly at an alternate location, in the event of an emergency or disaster.
However, NPPD has not updated its COOP to reflect the October 2012 realignment. As a result, CS&C and its subcomponents, including NCCIC, are relying on an outdated NPPD COOP Plan to restore mission-essential functions in the event of an emergency.

[7] The purpose of a COOP plan is to establish a set of prioritized mission and business processes that must be sustained within 12 hours and for up to 30 days should interruptions occur.

In June 2013, CS&C drafted its COOP Plan that identifies and addresses additional requirements unique to its specific functions and reflects the October 2012 realignment. Further, the CS&C COOP Plan has a functional annex that identifies NCCIC’s essential functions and essential supporting activities, and reflects the updated operational framework and capabilities of the realigned CS&C. However, CS&C’s COOP Plan, which should cascade down from NPPD, is not finalized. In the event that NCCIC is required to provide continuous operations at an alternate site, the outdated NPPD COOP Plan document would not provide the specific guidance for sustaining performance.

Our review of the NPPD COOP Plan and its annexes revealed that the National Cyber Security Division, which was abolished as a result of the October 2012 realignment, has not been removed from the annex. Further, the NPPD COOP Plan does not reflect the current position of the Directorate’s senior management staff in its order of succession and contains incorrect and outdated information for certain key personnel in the emergency contact list.
Finally, the NPPD COOP Plan does not contain detailed risk management practices and procedures to assist organizations in accomplishing continuity objectives.

An NPPD official told us that the annual review and update to the COOP Plan is scheduled for the fourth quarter of FY 2013 and will include all subcomponents of the Directorate. Additionally, NPPD’s orders of succession and associated information will be updated as required during the 2013 annual review. Further, the official told us that a business impact analysis, which is to be reviewed bi-annually, was last completed in 2009 including the assessment of risks of all NPPD subcomponents.

Further, NCCIC’s revised COOP Plan has not been communicated effectively to its staff to ensure the successful restoration of its mission-essential functions. For example, the following deficiencies were identified in the after-action reports during NCCIC’s March and April 2013 COOP exercises:

    Floor leadership positions were not clearly identified and communicated to all floor staff.
    As a result, many floor personnel appeared unsure of who had the lead for coordinating overall floor activities in response to the escalating events.

    While NCC, ICS-CERT, and US-CERT communicated well within their individual components, NCCIC officials acknowledged that cross-component information sharing, both verbal and electronic, during heightened levels of operations could be improved.

    ICS-CERT noted that they were not being consulted prior to the first dissemination of the situational alert.

Agencies are required to review their essential functions and business process analyses annually and document the date of the review and names of personnel conducting the review.[8] Additionally, organizations must incorporate any identified changes generated by new organizational programs or functions or by organizational changes to existing programs or functions. Further, organizations must revise orders of succession as necessary and distribute any revisions promptly to appropriate authorities and personnel. The directive also requires that a continuity risk assessment includes an assessment of the likelihood of threats and hazards to normal operations and public safety and their consequences. Finally, agencies are required to develop a COOP plan.[9]

A current and well-tested COOP plan can ensure the recovery of mission essential functions should interruptions occur.
Finalizing CS&C’s COOP Plan will allow NCCIC to respond appropriately to cyber-related incidents by implementing additional requirements unique to their specific functions. Finally, testing outdated plans may create a false sense of ability to recover operations in a timely manner.

Recommendations

We recommend that the Acting Under Secretary, NPPD:

Recommendation #6:

Update the NPPD COOP Plan to reflect the current operational structure of its subcomponents and include a risk management process to ensure continuity plans are coordinated between subcomponents and continuity objectives are accomplished.

Recommendation #7:

Finalize CS&C’s COOP Plan to reflect the recent alignment and test the plan to ensure that component personnel understand their roles in the event of emergency.

[8] Federal Continuity Directive 1, Federal Executive Branch National Continuity Program and Requirements, October 2012.

[9] National Security Presidential Directive – 51/Homeland Security Presidential Directive - 20, National Continuity Policy, May 2007.

Management Comments and OIG Analysis

NPPD concurred with recommendation 6. The Acting Under Secretary stated that while the plan may be technically outdated in certain aspects, NPPD does not believe there are any negative impacts associated with the current plan. NPPD is planning to update the current COOP plan later this year.
The NPPD COOP Plan has parts that are updated as required, e.g., the Orders of Succession. These Orders of Succession have their own approval documents that may not be fully incorporated into the COOP plan when updates are approved. NPPD’s Office of Business Continuity and Emergency Preparedness, the office responsible for the NPPD COOP Plan, will continue its routine, recurring communication with NPPD’s sub-component COOP points of contacts, ensuring minimal confusion with regard to continuity activities and the roles and responsibilities of all parties in response to all threats.

We agree with the steps that NPPD has taken and plans to take to begin to satisfy this recommendation. This recommendation will remain open and unresolved until NPPD provides documentation to support that all planned corrective actions are completed.

NPPD concurred with recommendation 7. The Acting Under Secretary stated that CS&C is in the process of finalizing its draft COOP Plan, which is projected to be completed by the end of September 2013.

We agree with the steps that NPPD has taken and plans to take to begin to satisfy this recommendation. This recommendation will remain open and unresolved until NPPD provides documentation to support that all planned corrective actions are completed.

Appendix A
Objectives, Scope, and Methodology

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978.
This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

The objective of our audit was to determine the effort that DHS has made in coordinating cyber operations across the Federal Government. Specifically, we determined whether:

    Processes and mechanisms exist to share cyber threat information effectively among the Federal cyber operations centers for steady-state and significant cyber incidents.

    Sharing and dissemination of cyber threat information among DHS and the Federal cyber operations centers are effective.

    Proper training and sufficient resources are provided to NCCIC leadership and key personnel to perform their incident response functions.

Our audit focused on NCCIC’s efforts to coordinate cyber operations across the Federal Government for compliance with applicable requirements outlined in The Homeland Security Act of 2002 and The Comprehensive National Cybersecurity Initiative (January 2008). We also reviewed requirements for continuity planning within National Security Presidential Directive – 51/Homeland Security Presidential Directive – 20, National Continuity Policy (May 2007), National Continuity Policy Implementation Plan (August 2007) and Federal Continuity Directive 1, Federal Executive Branch National Continuity Program and Requirements (October 2012).

We interviewed selected personnel from NCCIC, CS&C and NPPD, DHS Office of Chief Information Security Officer, Federal Emergency Management Agency, and I&A to discuss policy, national-level exercises, training, metrics, incident response, and information sharing. Further, we interviewed selected officials from IC-IRC, DC3, NTOC, CYBERCOM, and NCIJTF to obtain their perspective on DHS’ coordination efforts with the other centers.
We selected a sample of training records to determine the number of NCCIC analysts who received specialized training. In addition, we selected a sample of incident reports to evaluate the process and the system used to maintain cyber threat information. Fieldwork was performed in the Washington, DC area.

We conducted this performance audit between January 2013 and May 2013 pursuant to the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based upon our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based upon our audit objectives. Major OIG contributors to the audit are identified in appendix C.

The principal OIG point of contact for the audit is Frank W. Deffer, Assistant Inspector General, Office of Information Technology Audits, at (202) 254-4100.

Appendix B
Management Comments to the Draft Report

Office of the Under Secretary
National Protection and Programs
U.S. Department of Homeland Security
Washington, DC 20528

SEP S Z013

Mr. Charles K. Edwards
Deputy Inspector General
Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Dear Mr. Edwards:

Re: Office of Inspector General Report DHS Efforts to Coordinate the Activities of Federal Cyber Operations Centers (OIG Project No. 13-023-ITA-NPPD)

Thank you for the opportunity to review and comment on this draft report. The U.S. Department of Homeland Security (DHS) appreciates the Office of Inspector General (OIG) work in planning and conducting its review and issuing this report.

DHS is pleased to note the OIG's recognition of many efforts undertaken to coordinate and share vital cyber threat information with the six Federal cyber operations centers. The National Cybersecurity and Communications Integration Center (NCCIC), a division within the National Protection and Programs Directorate's (NPPD) Office of Cybersecurity and Communications (CS&C), has taken steps to coordinate and collaborate with Federal cyber operations centers across the Government by establishing partnerships with the centers to respond and coordinate on specific incidents that pose a risk to the United States.
NCCIC is increasing interagency collaboration and communication through the use of liaisons, telephone calls, email, and regular meetings to leverage the expertise and unique authorities within the different NCCIC branches to execute DHS's cybersecurity mission more effectively and efficiently. In addition, NCCIC is collaborating with the Federal Bureau of Investigation and other partners by issuing Joint Indicator Bulletins that contain cyber threat indicators to assist private sector partners in preventing cybercrimes and protecting intellectual property, trade secrets, and sensitive business information from criminal activities. NCCIC is also performing functional/tabletop and no-notice exercises to enhance Federal cyber operation centers' capabilities, validate plans and procedures, and coordinate relationships among partners and enhance related awareness.

Technical and sensitivity comments have been provided under separate cover.

DHS's NPPD concurs with the draft report's seven recommendations.
Specifically, the OIG recommended the Acting Under Secretary, NPPD:

Recommendation 1: Procure or develop tools and technologies with enhanced incident management and analytical capabilities that can link situational awareness products to cyber incidents.

Response: Concur. NPPD and CS&C continuously work with a broad range of partners to explore new ways to enhance information sharing and deliver operationally relevant data in an efficient and effective manner. CS&C is working through its Network Security Deployment division to improve existing information sharing capabilities and bring new capabilities online as the Information Sharing environment matures. Release of Information Sharing capabilities is planned beginning in Fiscal Year (FY) 2014 and continuing through FY 2017. Technologies and processes to improve discoverability and availability of data between and among the cyber operations centers serve as a foundation to the Information Sharing capability sets (implementation stages).
These capabilities, coupled with automated machine-to-machine data transfer, will greatly improve the ability to link data sets and improve situational awareness.

Recommendation 2: Collaborate with the Department of Defense (DOD) and NIST (National Institute of Standards and Technology) to develop a standard set of incident categories to ensure seamless information sharing between all Federal cyber operations centers.

Response: Concur. NPPD and CS&C have already taken decisive steps to address this recommendation as evidenced by revision two of NIST SP 800-61, published in August 2012. DHS is working with the National Security Staff and the Office of Management and Budget to release new federal reporting guidance in the coming months. While DHS and the Department of Defense (DOD) have distinct mission needs in the cyber environment, DHS will continue to work with DOD to streamline the flow of appropriate information between the two agencies.

Recommendation 3: Augment staffing shortages by adding additional staffing to execute the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) mission to provide full coverage on the operations floor.

Response: Concur. The FY 2014 President's Budget Request for the ICS-CERT includes an increase of five full time equivalents. NPPD and CS&C will continue to pursue opportunities to provide additional staffing to enhance the ICS-CERT mission.

Recommendation 4: Collaborate with I&A (Office of Intelligence and Analysis) management to increase the number of its analysts available for continuous coverage at the NCCIC to provide more intelligence and analysis to all sectors.

Response: Concur.
DHS\'s I&A provides all-source intelligence watch and warning, operational\n            support, and analysis and production on current, emerging, and potential threats to NCCIC. I&A\n            also serves as a critical link between the NCCIC and the Intelligence Community (IC) by\n            ensuring DHS information requirements are met and by sharing DHS threat information with the\n            IC. The Under Secretary, I&A, will continue efforts to increase staffing to the NCCIC to\n            provide continuous coverage within the constrained budget and resource environment.\n\n            Recommendation 5: Revise the training and exercise plan to include the new qualifications and\n            standards specified in the Concept of Operations to ensure NCCIC personnel receive the proper\n            training, certifications, and qualifications to perform their assigned duties.\n\n            Response: Concur. To ensure NCCIC personnel are fully trained on processes and procedures,\n            NCCIC personnel participate in internally and externally hosted exercises. NCCIC has begun to\n            expand training opportunities for staff and will continue to do so as funding becomes available.\n\n            Recommendation 6: Update the NPPD Continuity of Operations (COOP) to reflect the current\n            operational structure of its subcomponents and include a risk management process to ensure\n            continuity plans are coordinated between subcomponents and continuity objectives are\n            accomplished.\n\n            Response: Concur with the recommendation that the plan be updated. 
While the plan may be\n            technically outdated in certain aspects, NPPD does not believe there are any negative impacts\n            associated with using the current plan. NPPD is planning to update the current COOP plan later\n            this year. The NPPD COOP Plan - as is the case with all similar COOP plans - is a living\n            document and has parts that are updated as required, e.g. the Orders of Succession. These Orders\n            of Succession have their own approval documents that may not be fully incorporated into the\n            COOP plan when updates are approved. NPPD\'s Office of Business Continuity and Emergency\n            Preparedness, the office responsible for the NPPD COOP Plan, will continue its routine,\n            recurring communication with NPPD\'s Subcomponent COOP points of contacts, ensuring\n            minimal confusion with regard to continuity activities and the roles and responsibilities of all\n            parties in response to all threats. Implementation of this recommendation is NPPD\'s\n            responsibility as opposed to CS&C.\n\n            Recommendation 7: Finalize CS&C\'s COOP to reflect the recent alignment and test the plan to\n            ensure that component personnel understand their roles in the event of emergency.\n\n            Response: Concur. Currently, CS&C is in the process of finalizing its draft COOP Plan which is\n            projected to be completed by the end of September 2013.\n\n            We look forward to working with you on future homeland security engagements.\n\n\n                                                 Sincerely,\n\n\n                                                 Suzanne E. 
Spaulding\n                                                 Acting Under Secretary\n\n\nAppendix C\nMajor Contributors to This Report\nChiu-Tong Tsang, Director\nTarsha Cary, IT Audit Manager\nShannon Frenyea, Senior Program Analyst\nMegan Ryno, Program Analyst\nSheldon Liggins, IT Auditor\nScott He, Referencer\n\n\nAppendix D\nReport Distribution\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretary\nDirector, GAO/OIG Liaison Office\nAssistant Secretary for Office of Policy\nAssistant Secretary for Office of Public Affairs\nAssistant Secretary for Office of Legislative Affairs\nActing Assistant Secretary, Cybersecurity and Communications\nActing Chief Information Officer\nDeputy Chief Information Officer\nChief Information Security Officer\nDirector, National Cybersecurity and Communications Integration Center\nDirector, Compliance and Oversight Program, Office of Chief Information Security Office\nDirector of Local Affairs, Office of Intergovernmental Affairs\nAudit Liaison, NPPD\nAudit Liaison, DHS, Chief Information Security Office\nAudit Liaison, DHS, Chief Information Officer\nAudit Liaison, CS&C\nActing Chief Privacy Officer\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriations Committees, as appropriate\n\n\nADDITIONAL INFORMATION AND COPIES\n\nTo 
obtain additional copies of this document, please call us at (202) 254-4100, fax your\nrequest to (202) 254-4305, or e-mail your request to our Office of Inspector General\n(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.\n\nFor additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter\nat: @dhsoig.\n\nOIG HOTLINE\n\nTo expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any\nother kinds of criminal or noncriminal misconduct relative to Department of Homeland\nSecurity (DHS) programs and operations, please visit our website at www.oig.dhs.gov\nand click on the red tab titled "Hotline" to report. You will be directed to complete and\nsubmit an automated DHS OIG Investigative Referral Submission Form. Submission\nthrough our website ensures that your complaint will be promptly received and\nreviewed by DHS OIG.\n\nShould you be unable to access our website, you may submit your complaint in writing\nto:\n\n       Department of Homeland Security\n       Office of Inspector General, Mail Stop 0305\n       Attention: Office of Investigations Hotline\n       245 Murray Drive, SW\n       Washington, DC 20528-0305\n\nYou may also call 1(800) 323-8603 or fax the complaint directly to us at\n(202) 254-4297.\n\nThe OIG seeks to protect the identity of each writer and caller.\n'